Configs · Apr 16, 2026 · 3 min read

Polaris — Best Practices Validation for Kubernetes Clusters

Polaris audits your Kubernetes deployments against best practices for security, reliability, and efficiency, with a dashboard, CLI, and admission controller.

TL;DR
Polaris validates Kubernetes workloads against security and reliability best practices.
§01

What it is

Polaris is an open-source tool by Fairwinds that validates Kubernetes resources against a configurable set of best practices. It catches misconfigurations like missing resource limits, containers running as root, and missing health checks before they cause outages or security incidents.

Polaris runs in three modes: a CLI audit tool for local checks, a web dashboard for cluster-wide visibility, and a validating admission webhook that blocks non-compliant deployments at apply time.

§02

How it saves time or tokens

Polaris automates the manual review of Kubernetes manifests that platform teams typically do in pull requests. Instead of checking each deployment by hand for resource limits, security contexts, and health probes, Polaris runs a configurable set of checks automatically. In CI/CD pipelines it catches issues before they reach the cluster. As an admission controller it refuses to create non-compliant resources at all, so a misconfigured workload never becomes an incident to respond to.

§03

How to use

  1. Install the CLI and audit the cluster your kubeconfig points at:
     brew install FairwindsOps/tap/polaris
     polaris audit --format=pretty
  2. Audit a single YAML file in CI (the flag makes the run fail on danger-severity findings; without it the exit code is 0):
     polaris audit --audit-path deployment.yaml --format=json --set-exit-code-on-danger
  3. Run the dashboard for a visual cluster overview:
     polaris dashboard --port 8080
     # Open http://localhost:8080
§04

Example

A Kubernetes Deployment that satisfies the Polaris checks discussed on this page (resource requests and limits, non-root execution, read-only root filesystem, no privilege escalation, a pinned image tag, and liveness and readiness probes):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api-server
  template:
    metadata:
      labels:
        app: api-server  # must match spec.selector or the API server rejects the Deployment
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: api
          image: myapp:v1.2.3  # pinned tag, not latest
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
§05

Related on TokRepo

  • DevOps tools — More Kubernetes and infrastructure tools on TokRepo.
  • Security tools — Browse security validation and auditing tools.
§06

Common pitfalls

  • Running polaris audit without customizing the config scores legacy workloads harshly. Adjust severity levels in polaris.yaml, disable checks that do not apply to your environment, and use exemptions for the few workloads that genuinely cannot comply rather than lowering the bar for everyone.
  • Deploying the admission webhook without a dry-run period blocks legitimate deployments. Start in audit mode, review results, then switch to enforcement.
  • Not integrating Polaris into CI/CD means issues are caught too late. Add polaris audit (with --set-exit-code-on-danger so failures actually fail the job) to your pipeline to shift validation left.

Frequently Asked Questions

What checks does Polaris perform?

Polaris checks for missing resource requests and limits, containers running as root, missing liveness and readiness probes, use of the latest image tag, privilege escalation, read-only root filesystem, host network usage, and more. Custom checks can be defined in YAML.

Can I use Polaris in CI/CD pipelines?

Yes. Run polaris audit --audit-path on your manifests in CI and add --set-exit-code-on-danger so the command exits non-zero when any danger-severity check fails, which blocks the pipeline; --set-exit-code-below-score lets you fail on an overall score threshold instead. Without one of these flags the audit exits 0 even when checks fail. Use --format=json for machine-readable output.

How does the admission controller work?

Polaris runs as a validating admission webhook in your Kubernetes cluster. When a resource is created or updated, Polaris evaluates it against the configured checks and rejects it if any danger-severity check fails; warning-severity findings are reported but do not block the request.

Can I customize the check severity levels?

Yes. Each check has a severity level (ignore, warning, danger). You set it per check under checks: in a polaris.yaml file passed with --config, and exemptions: lets you waive specific checks for named namespaces or controllers. Organization policy is expressed by choosing which checks are warnings (reported) and which are danger (rejected by the webhook, or failing CI when --set-exit-code-on-danger is used).
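The following polaris.yaml ties together the severity tuning, the exemption mechanism, and the custom-check format mentioned in the two answers above. It is an added example written for this page, not a file from the Polaris project; the registry hostname, the legacy namespace and the batch-importer controller name are assumptions. Check IDs are the standard Polaris ones; the custom check uses the JSON Schema form Polaris evaluates against the container spec when target is Container.

```yaml
# polaris.yaml: added example, not from the Polaris project or this page.
# Severities are the three Polaris levels: ignore, warning, danger.
# registry.example.com, the legacy namespace and batch-importer are assumed names.
checks:
  # Reliability checks promoted to danger so the webhook rejects them
  # instead of only flagging them in the dashboard.
  cpuRequestsMissing: danger
  memoryRequestsMissing: danger
  cpuLimitsMissing: danger
  memoryLimitsMissing: danger
  readinessProbeMissing: danger
  livenessProbeMissing: warning
  # Security checks kept at the blocking level.
  runAsRootAllowed: danger
  runAsPrivileged: danger
  privilegeEscalationAllowed: danger
  notReadOnlyRootFilesystem: danger
  dangerousCapabilities: danger
  hostNetworkSet: danger
  hostPIDSet: danger
  hostIPCSet: danger
  tagNotSpecified: danger
  # Does not matter for pinned immutable tags in this (assumed) environment.
  pullPolicyNotAlways: ignore
  # Enable the custom check declared below at blocking severity.
  imageRegistry: danger

customChecks:
  # Supply-chain control: only images from the approved registry may run.
  # The schema is validated against each container object.
  imageRegistry:
    successMessage: Image is pulled from the approved registry
    failureMessage: Image must come from registry.example.com (assumed registry)
    category: Security
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^registry\.example\.com/.+

exemptions:
  # Narrow waiver: one legacy controller, one rule, instead of relaxing
  # notReadOnlyRootFilesystem cluster-wide.
  - namespace: legacy
    controllerNames:
      - batch-importer
    rules:
      - notReadOnlyRootFilesystem
```

Run it against a directory of manifests with polaris audit --config polaris.yaml --audit-path ./manifests --set-exit-code-on-danger; the same file drives the dashboard and the webhook, so CI and the cluster enforce one policy. Keep exemptions scoped to a namespace and controller name so a waiver for one legacy workload does not silently cover new ones.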

Does Polaris work with Helm charts?

Polaris audits rendered Kubernetes manifests, not Helm templates as such. Either render the chart yourself with helm template into a file or directory and point polaris audit --audit-path at the output, or let Polaris render it for you with polaris audit --helm-chart ./path/to/chart --helm-values ./path/to/values.yaml. In both cases the audit sees the resources exactly as they would be applied, including values-driven settings such as securityContext and resources.
